On Thu, Apr 30, 2020 at 2:47 PM Ted Lemon wrote:
> On Apr 30, 2020, at 2:31 PM, Michael StJohns
> wrote:
>
> Because an attacker can twiddle with a CNAME. So while the recipient sees
> a CNAME pointing at a validatable end item, that may not have been the end
> name the publisher provided. I'
On Thu, Apr 30, 2020 at 11:14 AM Ted Lemon wrote:
>
> To be clear, I think that if we’ve been asked to do DNSSEC, we should
> always validate what we can when the answer includes some data that is
> provably insecure and some data that is provably secure and can be
> validated. I just don’t think
On Thu, Apr 30, 2020 at 9:44 PM John Levine wrote:
> In article you write:
> >Yep, I suspect some of the bigger TLDs probably couldn't opt in to this
> >draft simply because they're full of, um, "history". Until that history
> >is cleaned, they probably couldn't deploy it.
>
> It's not just his
Hi Bob,
On 1 May 2020, at 14:02, Bob Harold wrote:
> Is there any chance that a user trying to reach https://example.com could get
> the orphan glue A record for example.com instead of the A record in the real
> zone?
If the A record is orphan glue, there is no real zone (by being orphaned, i
On Thu, Apr 30, 2020 at 9:44 PM John Levine wrote:
I think it's benign to allow any sort of record as an immediate child
of the domain, since you need to go two levels down for split zones.
That handes the nominet and zz--zz cases.
Is there any chance that a user trying to reach https://examp
Hi John,
On 1 May 2020, at 14:23, John R Levine wrote:
>> On Thu, Apr 30, 2020 at 9:44 PM John Levine wrote:
>>> I think it's benign to allow any sort of record as an immediate child
>>> of the domain, since you need to go two levels down for split zones.
>>> That handes the nominet and zz--zz
In a sense, a glue record with the same owner name as a zone cut could be
equivalent to a glue record with an owner name that is subordinate to a zone
cut. I don't have enough of the spec in my head to know why they would
definitively be different from the protocol perspective. I realise it's n
Joe Abley writes:
> Anyway, I am fairly confident in saying that there are legitimate,
> normal operational processes that can result in orphan glue, and that
> it's not correct to infer that they all exist for reasons of poor
> hygiene.
For the record: I certainly (and I doubt Paul) envisioned
